The Samourai Bitcoin wallet, which implements the Whirlpool variant of the ZeroLink protocol, is vulnerable to key tagging attacks due to the absence of any key consistency checks, completely defeating the privacy claims of the protocol.
In Whirlpool CoinJoin transactions, clients using a variant of ZeroLink nominate Bitcoin UTXOs as inputs into a collaborative transaction that allows them to send a fixed amount back to themselves anonymously, somewhat analogous to a mixing stage in a mixnet. Inputs and outputs are registered from separate Tor circuits. In order to reject unauthorized outputs, this variant of ZeroLink uses RSA blind signatures. Blind signatures are given in response to valid input registrations. An unblinded signature and message are then used as an authorization token, allowing the server to ensure it corresponds to one of the inputs, ostensibly without revealing which one.
The server's blind signing key is obtained by the client by extracting it from the response to the input registration request.
Subsequently, this key is used to make blind signing requests during the confirmation phase.
After a blind signature is given to the client, the unblinded signature is used to request an output registration.
Because the key is not announced a priori, nor is it signed by the participants' spending keys before output registration or signing, the server can provide each input with a unique RSA key. Since the unblinded signatures are made by different keys, the server can learn the mapping from inputs to outputs.
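The following is an added illustration, not Samourai or Whirlpool code: textbook RSA blind signatures over constructed toy keys, showing that tokens signed under per-input keys each verify under exactly one key, while a shared key leaves every input equally plausible. All function names, the sample output labels and the pre-announced fingerprint used by `keys_consistent` are assumptions made for the example.

```python
# Added illustration: textbook RSA blind signatures with toy keys (not Whirlpool code).
import hashlib, secrets

def make_key(p, q, e=65537):
    # Constructed toy key from two known primes; far too small for real use.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def blind(msg, key):
    r = secrets.randbelow(key["n"] - 2) + 2          # client's blinding factor
    return digest(msg, key["n"]) * pow(r, key["e"], key["n"]) % key["n"], r

def sign(blinded, key):
    return pow(blinded, key["d"], key["n"])          # server signs without seeing msg

def unblind(blind_sig, r, key):
    return blind_sig * pow(r, -1, key["n"]) % key["n"]

def verify(msg, sig, key):
    return pow(sig, key["e"], key["n"]) == digest(msg, key["n"])

def fingerprint(key):
    return hashlib.sha256(f'{key["n"]}:{key["e"]}'.encode()).hexdigest()

def keys_consistent(announced_fp, received_key):
    # Client-side check: refuse to blind under a key that differs from the one
    # all participants can see (hypothetical pre-announced fingerprint).
    return fingerprint(received_key) == announced_fp

def link_outputs(tokens, keys_by_input):
    # For each token, list the inputs whose issued key verifies it.
    return {msg: [i for i, k in keys_by_input.items() if verify(msg, sig, k)]
            for msg, sig in tokens}

KEY_A = make_key(2**61 - 1, 2**89 - 1)     # key handed to input "in0"
KEY_B = make_key(2**107 - 1, 2**127 - 1)   # different key handed to input "in1"

def run_round(keys_by_input, outputs):
    # Each input blinds its output under the key it was given, then unblinds.
    tokens = []
    for inp, msg in outputs.items():
        key = keys_by_input[inp]
        blinded, r = blind(msg, key)
        tokens.append((msg, unblind(sign(blinded, key), r, key)))
    return link_outputs(tokens, keys_by_input)
```

With one key per input the anonymity set of each output collapses to a single input; a client that compares the key it received against a commonly visible fingerprint before blinding rejects the round instead.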